Commit 1c38863b authored by JC Brand's avatar JC Brand

Add more documentation around file sharing and CORS

parent 9d0cfe8f
...@@ -2,22 +2,32 @@ ...@@ -2,22 +2,32 @@
<div id="banner"><a href="https://github.com/jcbrand/converse.js/blob/master/docs/source/features.rst">Edit me on GitHub</a></div> <div id="banner"><a href="https://github.com/jcbrand/converse.js/blob/master/docs/source/features.rst">Edit me on GitHub</a></div>
.. _`features`:
======== ========
Features Features
======== ========
Open chats via URL File sharing (`XEP-0363 HTTP File Upload <https://xmpp.org/extensions/xep-0363.html>`_)
================== =======================================================================================
From version 3.3.0, converse.js now has the ability to open chats (private or Converse supports file sharing by first uploading the file to a file server and
groupchat) based on the URL fragment. then sending the file's URL to the recipient.
A room (aka groupchat) can be opened with a URL fragment such as `#converse/room?jid=room@domain` The file server that is used is configured by the XMPP server admin, and is not
and a private chat with a URL fragment such as something that Converse has any control over.
`#converse/chat?jid=user@domain`.
Often when people report file sharing not working, it's because the file server
is not configured to allow file uploads from other domains.
XEP-0384 OMEMO Encryption The file server needs to be configured for `Cross-Origin resource sharing <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_
========================= (known by the acronym CORS). Specifically, it needs to add a
``Access-Control-Allow-Origin`` header which includes the domain hosting
Converse.
End to end message encryption (`XEP-0384 OMEMO <https://xmpp.org/extensions/xep-0363.html>`_)
=============================================================================================
Converse supports OMEMO encryption based on the Converse supports OMEMO encryption based on the
`Signal Protocol <https://github.com/signalapp/libsignal-protocol-javascript>`_. `Signal Protocol <https://github.com/signalapp/libsignal-protocol-javascript>`_.
...@@ -83,6 +93,18 @@ articles: ...@@ -83,6 +93,18 @@ articles:
* `What's wrong with webcrypto? <https://tonyarcieri.com/whats-wrong-with-webcrypto>`_ * `What's wrong with webcrypto? <https://tonyarcieri.com/whats-wrong-with-webcrypto>`_
* `Heartbleed and JavaScript crypto <https://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/>`_ * `Heartbleed and JavaScript crypto <https://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/>`_
Open chats via URL
==================
From version 3.3.0, converse.js now has the ability to open chats (private or
groupchat) based on the URL fragment.
A room (aka groupchat) can be opened with a URL fragment such as `#converse/room?jid=room@domain`
and a private chat with a URL fragment such as
`#converse/chat?jid=user@domain`.
Notifications Notifications
============= =============
......
...@@ -20,10 +20,11 @@ The latest versions of these files are available at these URLs: ...@@ -20,10 +20,11 @@ The latest versions of these files are available at these URLs:
* https://cdn.conversejs.org/dist/converse.min.js * https://cdn.conversejs.org/dist/converse.min.js
* https://cdn.conversejs.org/css/converse.min.css * https://cdn.conversejs.org/css/converse.min.css
It's however recommended that you load a specific version of Converse, to avoid If you are integrating Converse into an existing website or app, then we recommend
breakage when a new version is released and the above URLs load new resources. that you load a specific version of Converse. Otherwise your website or app
might break when a new backwards-incompatible version of Converse is released.
To load a specific version of Converse you can put the version in the URL, like so: To load a specific version of Converse you can put the version in the URL:
* https://cdn.conversejs.org/4.0.4/dist/converse.min.js * https://cdn.conversejs.org/4.0.4/dist/converse.min.js
* https://cdn.conversejs.org/4.0.4/css/converse.min.css * https://cdn.conversejs.org/4.0.4/css/converse.min.css
...@@ -33,28 +34,19 @@ via the *script* and *link* tags: ...@@ -33,28 +34,19 @@ via the *script* and *link* tags:
.. code-block:: html .. code-block:: html
<link rel="stylesheet" type="text/css" media="screen" href="https://cdn.conversejs.org/css/converse.min.css"> <link rel="stylesheet" type="text/css" media="screen" href="https://cdn.conversejs.org/4.0.4/css/converse.min.css">
<script src="https://cdn.conversejs.org/dist/converse.min.js" charset="utf-8"></script> <script src="https://cdn.conversejs.org/4.0.4/dist/converse.min.js" charset="utf-8"></script>
.. note:: Instead of always loading the latest version of Converse via the
CDN, it's generally better to load a specific version (preferably the
latest one), to avoid breakage when new backwards-incompatible versions are
released.
Option 2: Building the files yourself Option 2: Building the files yourself
------------------------------------- -------------------------------------
Instead of using the CDN, you can also create your own builds and host them Instead of using the CDN, you can also create your own builds and host them yourself.
yourself.
Have a look at the :ref:`creating_builds` section on how to create your own Have a look at the :ref:`creating_builds` section on how to create your own builds.
builds.
Long story short, you should be able to do it by running `make dist`, but you In short, you should be able to do it by running ``make dist`` inside a
might need to install some development libraries on your system first checkout of the `Converse repo <http://github.com/conversejs/converse.js/>`_.
(e.g. gcc, libffi-dev and ruby-dev).
Besides including the ``converse.min.js`` and ``converse.min.css`` files, Besides including the ``converse.min.js`` and ``converse.min.css`` files,
you'll also need to make sure that the ``webfonts`` directory is available in you'll also need to make sure that the ``webfonts`` directory is available in
...@@ -64,8 +56,8 @@ the same location as ``converse.min.css``. ...@@ -64,8 +56,8 @@ the same location as ``converse.min.css``.
Initializing Converse Initializing Converse
--------------------- ---------------------
You'll then need to initialize Converse with configuration settings relevant to your requirements. You'll need to initialize Converse with configuration settings relevant to your requirements.
Refer to the :ref:`configuration-settings` section for info on all the available configuration settings. Take a look at the :ref:`configuration-settings` section for info on all the available settings.
To quickly get started, you can put the following JavaScript code at the To quickly get started, you can put the following JavaScript code at the
bottom of your page (after the closing *</body>* element):: bottom of your page (after the closing *</body>* element)::
...@@ -78,7 +70,7 @@ bottom of your page (after the closing *</body>* element):: ...@@ -78,7 +70,7 @@ bottom of your page (after the closing *</body>* element)::
</script> </script>
The `index.html <https://github.com/jcbrand/converse.js/blob/master/index.html>`_ file inside the The `index.html <https://github.com/jcbrand/converse.js/blob/master/index.html>`_ file inside the
Converse repository may serve as a nice usable example. Converse repository serves as a nice, usable example.
Fullscreen version Fullscreen version
------------------ ------------------
...@@ -103,15 +95,19 @@ For example:: ...@@ -103,15 +95,19 @@ For example::
Where to go from here? Where to go from here?
====================== ======================
Have a look at the various :ref:`features <features>` that Converse provides, for some of
them you might have to do more setup work, like configuring an XMPP server or
webserver.
You might want to implement some kind of persistent single-session solution for You might want to implement some kind of persistent single-session solution for
your website, where users authenticate once in your website and are then your website, where users authenticate once in your website and are then
automatically logged in to the XMPP server as well. For more info on how this automatically logged in to the XMPP server as well. For more info on how this
can be achieved, read: :ref:`session-support`. can be achieved, read: :ref:`session-support`.
Perhaps you want to create your own custom build of Converse? Then head over Perhaps you want to create your own custom build of Converse? Then head over
to the :doc:`builds` section, or more generally the :doc:`development` to the :doc:`builds` section, or more generally the :doc:`development <development>`
documentation. documentation.
Do you want to know how to theme Converse? Then read the :doc:`theming` Do you want to know how to theme Converse? Then read the :doc:`theming <theming>`
documentation. documentation.
...@@ -129,30 +129,35 @@ configure Converse to connect to a websocket URL. ...@@ -129,30 +129,35 @@ configure Converse to connect to a websocket URL.
The Webserver The Webserver
============= =============
.. _CORS:
Overcoming cross-domain request restrictions
--------------------------------------------
Lets say the domain under which you host Converse is *example.org:80*, Lets say the domain under which you host Converse is *example.org:80*,
but the domain of your connection manager or the domain of but the domain of your connection manager or the domain of
your HTTP file server (for `XEP-0363 HTTP File Upload <https://xmpp.org/extensions/xep-0363.html>`_) your HTTP file server (for `XEP-0363 HTTP File Upload <https://xmpp.org/extensions/xep-0363.html>`_)
is at a different domain, either a different port like *example.org:5280* or a is at a different domain, either a different port like *example.org:5280* or a
different name like *elsehwere.org*. different name like *elsehwere.org*.
In cases like this, cross-domain request restrictions of the browser come into In such a situation the same-origin security policy of the browser comes into force.
force. For security purposes a browser does not by default allow a website to For security purposes a browser does not by default allow a website to
make certain types of requests to other domains. make certain types of requests to other domains.
One solution is to add a reverse proxy to a webserver such as Nginx or Apache to ensure that There are two ways in which you can solve this problem.
all services you use are hosted under the same domain name and port.
.. _CORS:
1. Cross-Origin Resource Sharing (CORS)
---------------------------------------
CORS is a technique for overcoming browser restrictions related to the
`same-origin security policy <https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy>`_.
Alternatively you can use something called `CORS <https://en.wikipedia.org/wiki/Cross-origin_resource_sharing>`__ CORS is enabled by adding an ``Access-Control-Allow-Origin`` header. Where this
(Cross-origin resource sharing). is configured depends on what webserver is used for your file upload server.
By enabling CORS on the non-local domains (e.g. *elsewhere.org*, when
*example.org* is the local domain), you allow the browser to make requests to it.
2. Reverse-proxy
----------------
Another possible solution is to add a reverse proxy to a webserver such as Nginx or Apache to ensure that
all services you use are hosted under the same domain name and port.
Examples: Examples:
********* *********
......
...@@ -56,13 +56,30 @@ One simple trick to improve performance is to set ``show_only_online_users: true ...@@ -56,13 +56,30 @@ One simple trick to improve performance is to set ``show_only_online_users: true
This will (usually) reduce the amount of contacts that get rendered in the This will (usually) reduce the amount of contacts that get rendered in the
roster, which eases one of the remaining performance bottlenecks. roster, which eases one of the remaining performance bottlenecks.
404 response for an OPTIONS request File upload is not working
=================================== ==========================
This often happens when trying to upload a file to the XEP-0363 file server One of the most common causes for file upload not working is a lack of CORS
which is under a different domain or port than the one that's hosting Converse. support by the file server to which the file should be uploaded.
An OPTIONS request usually a so-called CORS stands for `Cross-Origin Resource Sharing (CORS) <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_
and is a technique for overcoming browser restrictions related to the
`same-origin security policy <https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy>`_.
For example, if the domain under which you host Converse is *example.org*,
but the domain of your of your HTTP file server (for `XEP-0363 HTTP File Upload <https://xmpp.org/extensions/xep-0363.html>`_)
is *upload.example.org*, then the HTTP file server needs to enable CORS.
If you're not sure what the domain of the HTTP file server is, take a look at
the console of your browser's developer tools.
You might see an error like this one::
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://example.de:5443/...
You might also see a 404 HTTP response for an OPTIONS request in the `Network Tab` of your browser's developer tools.
An OPTIONS request is usually a so-called
`CORS pre-flight request <https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS>`_ `CORS pre-flight request <https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS>`_
which is used by the browser to find out whether the endpoint supports which is used by the browser to find out whether the endpoint supports
`Cross-Origin Resource Sharing (CORS) <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_. `Cross-Origin Resource Sharing (CORS) <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_.
...@@ -70,6 +87,11 @@ which is used by the browser to find out whether the endpoint supports ...@@ -70,6 +87,11 @@ which is used by the browser to find out whether the endpoint supports
If you get a 404 response for such a request, then the endpoint does NOT If you get a 404 response for such a request, then the endpoint does NOT
support CORS and the browser will prevent requests from being made to it. support CORS and the browser will prevent requests from being made to it.
This will prevent you from uploading images to it. This will prevent you from uploading files to it.
How you solve a CORS-related issue depends on your particular setup, specifically it depends on
what you're using as the HTTP file server.
CORS is enabled by adding an ``Access-Control-Allow-Origin`` header, so you'll
have to configure your file server to add this header.
Take a look at the section ":ref:`CORS`" for more information on how to solve this problem.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment